Most companies have some sort of password creation policy in place to keep users from protecting sensitive company documents with trivial passwords such as “12345” or “password”. But not all of those policies actually result in strong passwords.
That’s the conclusion from the recent study, “Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords,” from researchers at Florida State University.
For example, the researchers looked at the common practice of requiring passwords to be a certain length. In theory, that’s an effective way to boost security: each added character multiplies the number of possible strings by the size of the character set, so there are vastly more possible eight-character strings than six-character ones.
In practice, though, longer passwords aren’t proportionally more difficult to crack. That’s because, without other rules in place, most people will simply use a longer common word or phrase for their password. So attackers can still recover it with a so-called dictionary attack, which tries lists of common words and their usual variations rather than every possible string.
That’s why, when the researchers tested their ability to crack lists of passwords taken from real-world sets that had been stolen by hackers and publicly disclosed, longer passwords were tougher to crack, but not by as much as the larger character space would suggest.
The same goes for passwords that require a numerical character. Among the password lists used for the study, those using a number most commonly consisted of something like “123456,” or a common word followed by a “1.”
So what are some effective ways to improve password security in your company? The study pointed out that requiring special characters (such as punctuation marks) could make passwords significantly more difficult to crack, since those tend to be used in more varied ways than numbers.
Another possible tactic: along with enforcing a password creation policy, businesses can deploy software that checks each new password against a blacklist of too-common choices and rejects any match, so that users cannot pick the very passwords attackers try first.
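To show why composition rules alone fall short and how a blacklist closes the gap, here is an added example that is not code from the study or the article. It builds the guess list a dictionary attack would try (a few base words under simple mangling rules), then runs those guesses through two policies: the composition rules alone, and the same rules plus a blacklist check that normalizes each password back to the base word it was built from. The word list, mangling rules, blacklist, prefix threshold and sample passwords are all constructed for illustration; a real deployment would load a large leaked-password list in place of the short one here.

```python
"""Dictionary-attack candidates versus a blacklist-backed password policy.

Added example; not code from the FSU study or the article. The word list,
mangling rules, blacklist and thresholds below are constructed for
illustration only.
"""
import itertools
import re
import string

# Constructed: a few of the base words the article says dominate leaked lists.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "football", "sunshine"]

# Attacker side: mangling rules that turn one base word into the variants
# users produce when a policy demands a digit or a special character.
LEET_OUT = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
MANGLE_RULES = [
    lambda w: w,                      # the word itself
    lambda w: w.capitalize(),         # "password" -> "Password"
    lambda w: w + "1",                # the trailing "1" the article mentions
    lambda w: w + "123",
    lambda w: w.capitalize() + "1!",  # satisfies length, digit and special rules at once
    lambda w: w.translate(LEET_OUT),  # "password" -> "p@$$w0rd"
]


def attacker_candidates(words=COMMON_WORDS, rules=MANGLE_RULES):
    """Return the guess list a dictionary attack tries: every word under every rule."""
    seen, out = set(), []
    for word, rule in itertools.product(words, rules):
        cand = rule(word)
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


# Defender side.
SPECIALS = set(string.punctuation)
LEET_IN = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s",
                         "4": "a", "5": "s", "7": "t"})
# Constructed blacklist. Entries shorter than MIN_MATCH are ignored so that a
# very short entry cannot block every password that happens to start with it.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "football",
             "sunshine", "welcome", "monkey", "iloveyou"}
MIN_MATCH = 5


def normal_forms(pw):
    """Candidate base words an attacker could have started from.

    Lower-cases, strips leading/trailing digits and punctuation, and undoes
    common leet substitutions, so "P@ssw0rd1!" yields "password" among its forms.
    """
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low) or low
    return {low, low.translate(LEET_IN), stripped, stripped.translate(LEET_IN)}


def is_blacklisted(pw, blocklist=BLOCKLIST):
    """True if any normal form of pw begins with a blacklisted password."""
    return any(form.startswith(b)
               for form in normal_forms(pw)
               for b in blocklist if len(b) >= MIN_MATCH)


def naive_policy_failures(pw, min_length=8):
    """Composition rules only: the kind of policy the study found insufficient."""
    fails = []
    if len(pw) < min_length:
        fails.append("too short")
    if not any(c.isdigit() for c in pw):
        fails.append("no digit")
    if not any(c in SPECIALS for c in pw):
        fails.append("no special character")
    return fails


def policy_failures(pw, min_length=8, blocklist=BLOCKLIST):
    """Composition rules plus the blacklist check."""
    fails = naive_policy_failures(pw, min_length)
    if is_blacklisted(pw, blocklist):
        fails.append("derived from a blacklisted password")
    return fails


def survivors(check):
    """Attacker candidates that `check` would have let a user choose."""
    return [c for c in attacker_candidates() if not check(c)]


if __name__ == "__main__":
    print("composition rules alone let through:", survivors(naive_policy_failures))
    print("with blacklist let through:", survivors(policy_failures))
    print("Tr0ub4dor&3 ->", policy_failures("Tr0ub4dor&3"))
```

With the constructed inputs, the composition rules alone accept nine of the attacker’s 34 guesses (every “Word1!” and leet variant), while the blacklist check rejects all of them and still accepts a password such as Tr0ub4dor&3 that is not derived from a listed word. The prefix match is deliberately aggressive: it treats “password123” and “12345678” as derived from blacklisted entries, which is what the article’s observation about common words plus a trailing digit calls for.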
To read the whole study, download it here.